The U.S. Department of Health and Human Services (“HHS”) recently issued a “Fact Sheet” which discusses ransomware attack prevention and recovery under HIPAA, as well as the management of HIPAA breach notification procedures in response to a ransomware attack. According to the Fact Sheet, “ransomware” is a type of malicious software by which a hacker gains access to electronic data and then encrypts it with a key known only to the hacker, such that the data owner is denied access to it. The Fact Sheet provides helpful descriptions and specific examples of how the requirements of the security regulations under HIPAA (the “Security Rules”), which govern the confidentiality of a HIPAA covered entity’s electronic protected health information (“EPHI”), may be applied to prevent, detect, and recover from infections of EPHI by ransomware. Importantly, the Fact Sheet also explains HHS’s view that a ransomware infection of unsecured EPHI on a computer…
CMS has posted an updated Marketplace Employer Appeal Request Form dated July 2016. The updated form includes formatting changes to the contact information sections and is available here.
The IRS recently released draft instructions for Forms 1094/1095 that correspond with the draft Forms 1094/1095 the IRS released in July (please see our prior blog post on the draft forms here). Highlights of the changes and clarifications in the draft instructions for Forms 1094/1095 include: Certain transition relief available in 2015 remains available for non-calendar year plans for the portion of the 2015 plan year that ends in 2016; Certain coding used in Forms 1094-C/1095-C has been reserved for 2016; and Retirees who separated from employment should be reported the same as COBRA participants who separated from employment. Filing Dates and Extensions: To the IRS. The 2016 Form(s) 1094-C and accompanying Forms 1095-C must be filed electronically with the IRS by March 31, 2017 (February 28, 2017 if paper filing is used). An automatic 30-day extension is available if filed no later than the due date. Another 30-day extension may…
IRS Issues Proposed Regulations Addressing Certain Minimum Essential Coverage Reporting Issues Under Code Section 6055
The IRS issued proposed regulations on August 2, 2016, clarifying certain minimum essential coverage (“MEC”) reporting issues related to IRS Forms 1095-B and 1095-C, Part III. Form 1095-B is used to report MEC by insurance carriers for fully-insured MEC and by small employers with self-insured MEC who are not otherwise subject to the employer shared responsibility provisions of the Affordable Care Act. Form 1095-C, Part III is used by large employers with self-insured MEC. A change that is of significant interest to reporting entities is the revised safe harbor for soliciting TINs (e.g., SSNs) from covered participants. The revised safe harbor still requires up to three attempts to obtain a covered participant’s TIN pursuant to specific procedures set out in the proposed regulations. The covered participant’s date of birth may continue to be used as a substitute for solicited TINs missing when reporting is due. A reporting entity does not…
The OCR recently issued three guidance documents in response to questions received from covered entities currently under audit: (1) a list of all Q&As received from audited entities; (2) a table showing the documents OCR requested for each audit protocol and the Q&As associated with that audit protocol; and (3) slides from an OCR webinar for audited entities. The OCR is currently auditing covered entities, such as employer-sponsored group health plans, for compliance with HIPAA’s privacy and security rules. This new guidance should be helpful to plan sponsors, as well as to HIPAA Privacy and Security Officials, in their ongoing HIPAA compliance efforts. View the three guidance documents.
The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently entered into a $5.55 million settlement agreement with Advocate Health Care Network and its subsidiaries (“Advocate”) to resolve multiple potential violations of HIPAA involving electronic protected health information (“EPHI”). The settlement results from OCR’s investigation of Advocate which began in 2013 after Advocate submitted three breach notification reports to OCR within a three-month timespan. The reported breaches involved (1) the theft from one of Advocate’s support centers of four desktop computers containing unsecured EPHI of nearly four million individuals, (2) unauthorized access of unsecured EPHI from the computer network of Advocate’s business associate (“BA”), and (3) the theft of a laptop containing unsecured EPHI from an Advocate workforce member’s vehicle. Upon its investigation, OCR determined that Advocate failed to (a) conduct an accurate and thorough risk analysis related to its utilization of EPHI, (b) implement…
Ninth Circuit Holds that “Church Plan” Must Be Established By a Church or Convention or Association of Churches
The U.S. Court of Appeals for the Ninth Circuit affirmed a district court decision that a church plan must be established by a church or by a convention or association of churches in order to be exempt from ERISA as a “church plan.” Under the court’s interpretation of the church plan exemption, it is not enough that the plan is maintained by a church-controlled or church-affiliated organization whose principal purpose or function is to provide benefits to church employees. The case was remanded to the district court for further proceedings. The opinion in Rollins v. Dignity Health, No. 15-15351 (9th Cir. July 26, 2016) is available here.
On July 1, 2016, the DOL issued an interim final rule that adjusts the amounts of civil penalties assessed or enforced in its regulations, including for violations of ERISA. The penalties that were increased include the following, among many others: (1) the penalty for a failure to properly file a pension or welfare plan’s Form 5500 increased from up to $1,100 per day to up to $2,063 per day; (2) the penalty for a failure to notify participants of certain benefit restrictions under Code Section 436 or to furnish automatic contribution arrangement notices increased from up to $1,000 per day to up to $1,632 per day; (3) the penalty for a failure to provide notices of blackout periods, or notice of the right to divest employer securities, increased from up to $100 per day to up to $131 per day; and (4) the penalty for a failure to provide employees…
The IRS recently announced new requirements for determination letter applications for defined benefit plans. Applicants must identify, either in the cover letter to the application or in an attachment, whether the plan contains language which allows participants already receiving annuity payments to accelerate their remaining payments by receiving a lump sum in lieu of a future annuity stream. If the plan does contain such language, also identify whether it satisfies one of the four “Pre-Notice Acceleration” conditions in Notice 2015-49. If the applicant states that such risk transfer language is included in the plan and it satisfies one of the conditions in Notice 2015-49, then the IRS will issue a determination letter with a favorable caveat providing reliance on the risk transfer language. Plans with risk transfer language that don’t meet one of the conditions in Notice 2015-49 will not receive a determination letter unless the risk transfer language is…
In May, we provided information about the release of final HHS regulations implementing ACA Section 1557 and their potential effects on healthcare providers, insurers, and employer-provided healthcare coverage. Chris Beinecke wrote an article discussing these implications in greater detail. A link to this article, which was recently published in the Dallas Business Journal, is available here.